Sermon - TLIS - 1.5.1 - Manage Everything
Ephesians 6:11
Put on the full armor of God, so that you can take your stand against the devil’s schemes.
1 Corinthians 12:21
The eye cannot say to the hand, "I don’t need you!" And the head cannot say to the feet, "I don’t need you!"
James 2:8-11
If you really keep the royal law found in Scripture, "Love your neighbor as yourself," you are doing right. But if you show favoritism, you sin and are convicted by the law as lawbreakers. For whoever keeps the whole law and yet stumbles at just one point is guilty of breaking all of it. For he who said, "You shall not commit adultery," also said, "You shall not murder." If you do not commit adultery but do commit murder, you have become a lawbreaker.
I am an information security professional. I also teach other information security professionals. I do a lot of research, I read and review a lot of books, and I tell my colleagues which ones are good and useful for them in their work.
For a quarter of a century now I have also facilitated review seminars for those of my colleagues who are challenging for their certification as a professional. As a teacher I consider this to be the greatest gig in the world.
Normally you are not sure, when students show up in a class, whether they will have done the prerequisite work, reading, or additional study necessary to begin the learning that is necessary for the course you are presenting. That is not the case with these review seminars. Everyone is assumed not only to have studied in the field but to have had at least five years of active work experience in the field. Therefore this is not really an ordinary teaching job. I am not delivering information and pouring it into heads as some teachers seem to see their role. No, what I do is, with a group of colleagues, to demonstrate to them the entirety of what they need to know for their profession as we go through the material. If they are comfortable with everything that I am presenting then they are ready to challenge for the exam; however if they are uncomfortable with anything that we flip past, since we have to go at a great clip in order to cover all the material to be dealt with inside a one-week time period, that identifies for them the additional work and study that they have to do, on their own, in advance of taking the exam.
Over the years, of course, there have definitely been times when some of the candidates for the exam are not fully prepared: anything but. On these occasions it is usually a surprise to those candidates and, all too often, these are not unintelligent people. Very often the candidates who are not fully prepared are, in fact, extremely well versed in some of the areas of the subject matter. The thing is, what they didn't realise is that they have to be familiar with all of the different areas, not just the ones that they have specialised in.
In particular one of the subject areas that tends to get missed is the area of management, management of the security function itself. I always start with security management. I do this for two reasons. One is that I know that this is the area which most frequently trips up very clever candidates who just don't know the entire scope of their responsibilities. The other reason that I start with security management is that we have found, over the years, that it doesn't matter how good you are with the individual tools of security. You need to use all of them, and know how to manage all of them, working together. A lot of those wanting to go into security think that information security is primarily technical. The thing is, you can be really good with technical protections, and still leave huge gaping holes in your security. Unless you *manage* your security properly.
And the first principle to teach in security management is: do the whole job.
I was out for a walk one morning, and, possibly due to the fog and below freezing temperatures last night, everywhere was incredibly slippery. At the same time, I did find some places where the homeowners had been actively shoveling their sidewalks, and keeping quite a wide path free down the center of the sidewalk, but not quite cleared to the edges of the sidewalk. Therefore, it seems to be time, once again, for "security is like shoveling sidewalks."
When you are shoveling sidewalks, or driveways, it is important to complete the job. This means clearing the sidewalk, or driveway, right to the edge, preferably clearing just slightly beyond the edge of the pavement, so that the lawn, dirt, or gravel at the edge of the pavement is slightly exposed. If you don't clear right to the edge of the sidewalk, then, when slightly warmer temperatures come, and the snow starts to melt at the edges, the runoff water will run onto the sidewalk or driveway. At night, when the temperatures fall, this water freezes into black ice. This is even more dangerous than not having the snow cleared completely. When I'm out walking, if I find a patch of black ice, I will, by preference, start walking on areas where the snow has not been completely cleared, since that gives me a bit of traction, which the black ice definitely does not.
This gives us our illustration of security. Sometimes I call this lesson "security is like a bridge, not a road." If you build a road halfway, it generally is at least of some use. It provides for an easier means of transport at least part of the way that you need to get some place. But if you build a bridge halfway, it's completely useless. There is absolutely nothing that it will do for you, since when you get to the end of a half finished bridge, you are hanging in mid-air, and have no other recourse than to retrace your steps and go back and start again. This is like security. If you don't finish the job with security, you end up in a situation that is even worse than if you didn't do any security at all.
Security is based on pretty simple concepts. But it's difficult to get security right, because you have to do the whole thing. There are generally a number of aspects and layers to security, and you've got to do all of them in order to complete the job. If you leave something undone, you leave a vulnerability or an open exploit, and generally speaking this vulnerability is one that you won't notice, until it's too late and someone has taken advantage of it. You have to do the whole job, or you are left with a situation that is even worse than not doing security, because you have a false sense of security, because you think you've done some security, when in fact you have left the back door wide open.
This is the same as shoveling snow off sidewalks. You think you've done a good job because you have cleared a path, right down to the bare pavement, down the middle of the sidewalk. You don't particularly care about the piles of snow at the edges of the sidewalk. But they are going to melt when temperatures get slightly warmer, and then the melt water is going to flow over the sidewalk, or driveway, and then, at night, it's going to freeze. It's going to freeze into a nice clear surface, which, from any distance, is indistinguishable from the pavement. And therefore you are not going to notice that you are on a surface which provides you with absolutely zero traction, until your feet start to go out from under you, and you are desperately trying to find traction on a tractionless surface.
So, finish the job.
You can be the world's best access control list writer for firewall architectures. If you don't know how to manage that tool within the scope of all the other tools, then you don't have security. As a matter of fact it's almost better if you don't have any security at all than to mismanage the tools that you do have.
Well I hear you say, 'That's all very well and good but what does it have to do with the Christian life?' Well it has everything to do with the Christian life because "everything" is what you need to manage. In the same way that if you are managing security you have to manage all of the security, in your Christian life you not only have to be holy or righteous in one particular area. You have to be fully righteous. You have to be holy in everything.
The reason that you have to manage everything, when applied to security, can be seen fairly clearly. It doesn't matter if your doors are solid, well built, and locked, with strong locks that cannot be picked, if at the same time all of your windows are wide open. Burglars are not going to conveniently attack the one area that you have strengthened. No, burglars are devious, sneaky, and terrifically uncooperative with our attempts to secure our premises.
It doesn't matter how strong you make all the doors in your house if all the windows are wide open; those sneaky people will just walk right in through the windows.
And the same thing applies to our Christian life. Our adversary does not bother attacking us at our strongest point. If our faith is strong and unassailable the adversary will not bother with attacking our faith. The adversary will try niggling his way in by appealing to our weak points. If our weak point is, for example, alcoholic drinks, then our adversary will point out that Jesus turned water into wine! The adversary will point out that wine is mentioned throughout the Bible and very seldom does it seem to create any problems in the Bible. So what's the harm in just one drink?
Well of course if your weakness is alcohol and you are an alcoholic, then just one drink can set you off and very possibly lead to the destruction of your entire life. The adversary doesn't have to attack your faith. The alcohol will do it for him.
You can be faithful to your wife, but if you finance your lifestyle by committing fraud, then you have fallen short. You can be kind to your neighbor, but if you abuse your children, then you have fallen short. You have to manage everything in your spiritual life.
You may think that this is a pretty high standard. And, yes, it is. Of course, I'm not the one setting the standard: God is. Be perfect even as your father in heaven is perfect. That's the standard. That is the standard that we have to aspire to, because perfection is what God requires.
It's not just required in the Kingdom of Heaven. That standard is what we have to aspire to here on Earth, in certain areas. In security, a lot of people think that learning how to break into systems is good education for learning how to protect systems. To a certain extent, this is true. But, as I say to those who promote this kind of idea, there is one very essential difference between attacking systems and defending them. If you are a defender, you have to be absolutely right, every single time. If you are the attacker, you only have to be right once.
So, in security, we have the same high standard of perfection. You have to manage every aspect of security. You have to manage all of the security tools that you are using. The security tools that you are using have to be perfect as well: they cannot have any imperfections or vulnerabilities. If there are any vulnerabilities, they have to be covered with a protection which is, itself, perfect. In security, you have to maintain this standard of perfection.
Which is, of course, impossible.
It's impossible in the real world. And it's impossible in the spiritual world, as well. We cannot be perfect. We are sinful, weak, fallen creatures. We are not perfect.
Fortunately, unlike in security in the real world, God supports us in the spiritual realm. God makes provision for us. God gives us our food, God gives us our shelter, God gives us support from fellow Christians. God sends the Spirit to advise and comfort us, and to empower us to undertake certain tasks for Him. We can do much better with God's support than we can ever do under our own power.
But, we are, after all, sinful and fallen creatures. We are not perfect. And the standard is perfection.
Fortunately, of course, God has made provision for that too. Jesus has paid for all of our shortcomings. God has provided salvation for us. Through faith, and not of works. Since our works are, inevitably, imperfect.
Theological Lessons from Information Security